Support for JFrog Advanced Security (JAS) in scan command (jfrog#407)

Author: guyshe-jfrog

commands/scan/dockerscan.go

@@ -84,7 +84,7 @@ func (dsc *DockerScanCommand) Run() (err error) {
 		Pattern(imageTarPath).
 		Target(dsc.resultsContext.RepoPath).
 		BuildSpec()).SetThreads(1)
-	dsc.ScanCommand.SetTargetNameOverride(dsc.imageTag).SetRunJasScans(true)
+	dsc.ScanCommand.SetTargetNameOverride(dsc.imageTag)
 	err = dsc.setCredentialEnvsForIndexerApp()
 	if err != nil {
 		return errorutils.CheckError(err)

commands/scan/scan.go

@@ -53,6 +53,8 @@ const (
 	BypassArchiveLimitsMinXrayVersion = "3.59.0"
 	indexingCommand                   = "graph"
 	fileNotSupportedExitCode          = 3
+	typeJASPackageScanTypeDocker      = "docker"
+	typeJASPackageScanTypeGeneric     = "generic"
 )
 
 type ScanCommand struct {
@@ -70,9 +72,7 @@ type ScanCommand struct {
 	bypassArchiveLimits bool
 	fixableOnly         bool
 	progress            ioUtils.ProgressMgr
-	// JAS is only supported for Docker images.
-	commandSupportsJAS bool
-	targetNameOverride string
+	targetNameOverride  string
 
 	resultsContext results.ResultContext
 
@@ -97,11 +97,6 @@ func (scanCmd *ScanCommand) SetFixableOnly(fixable bool) *ScanCommand {
 	return scanCmd
 }
 
-func (scanCmd *ScanCommand) SetRunJasScans(run bool) *ScanCommand {
-	scanCmd.commandSupportsJAS = run
-	return scanCmd
-}
-
 func (scanCmd *ScanCommand) SetTargetNameOverride(targetName string) *ScanCommand {
 	scanCmd.targetNameOverride = targetName
 	return scanCmd
@@ -343,7 +338,7 @@ func (scanCmd *ScanCommand) initScanCmdResults(cmdType utils.CommandType) (xrayM
 	cmdResults.SetStartTime(scanCmd.startTime)
 	cmdResults.SetResultsContext(scanCmd.resultsContext)
 	// Send entitlement request
-	if entitledForJas, err := isEntitledForJas(xrayManager, scanCmd.xrayVersion, scanCmd.commandSupportsJAS); err != nil {
+	if entitledForJas, err := isEntitledForJas(xrayManager, scanCmd.xrayVersion); err != nil {
 		return xrayManager, cmdResults.AddGeneralError(err, false)
 	} else {
 		cmdResults.SetEntitledForJas(entitledForJas)
@@ -354,11 +349,7 @@ func (scanCmd *ScanCommand) initScanCmdResults(cmdType utils.CommandType) (xrayM
 	return
 }
 
-func isEntitledForJas(xrayManager *xrayClient.XrayServicesManager, xrayVersion string, useJas bool) (bool, error) {
-	if !useJas {
-		// No jas scans are needed
-		return false, nil
-	}
+func isEntitledForJas(xrayManager *xrayClient.XrayServicesManager, xrayVersion string) (bool, error) {
 	return jas.IsEntitledForJas(xrayManager, xrayVersion)
 }
 
@@ -470,6 +461,7 @@ func (scanCmd *ScanCommand) createIndexerHandlerFunc(file *spec.File, cmdResults
 				if !cmdResults.EntitledForJas {
 					return
 				}
+
 				module, err := getJasModule(targetResults)
 				if err != nil {
 					return targetResults.AddTargetError(fmt.Errorf("%s jas scanning failed with error: %s", scanLogPrefix, err.Error()), false)
@@ -494,17 +486,29 @@ func (scanCmd *ScanCommand) createIndexerHandlerFunc(file *spec.File, cmdResults
 					log.Debug("Jas scanner was not created, skipping advance security scans...")
 					return
 				}
+				secretsScanType := secrets.SecretsScannerGenericScanType
+				applicabilityScanType := applicability.ApplicabilityGenericScanScanType
+				if cmdResults.CmdType == utils.DockerImage || targetResults.Technology == techutils.Docker || targetResults.Technology == techutils.Oci {
+					log.Debug("Found root component is a docker container")
+					secretsScanType = secrets.SecretsScannerDockerScanType
+					applicabilityScanType = applicability.ApplicabilityDockerScanScanType
+				} else {
+					_, _, componentType := techutils.SplitComponentId(graph.Id)
+					log.Debug("Found root component is not a docker container, type is: ", componentType)
+				}
+
 				jasParams := runner.JasRunnerParams{
 					Runner:             jasFileProducerConsumer,
 					ServerDetails:      scanCmd.serverDetails,
 					Scanner:            scanner,
 					Module:             module,
 					ScansToPerform:     utils.GetAllSupportedScans(),
-					SecretsScanType:    secrets.SecretsScannerDockerScanType,
+					SecretsScanType:    secretsScanType,
 					DirectDependencies: directDepsListFromVulnerabilities(*graphScanResults),
-					ApplicableScanType: applicability.ApplicabilityDockerScanScanType,
+					ApplicableScanType: applicabilityScanType,
 					ScanResults:        targetResults,
 				}
+
 				if generalError := runner.AddJasScannersTasks(jasParams); generalError != nil {
 					return targetResults.AddTargetError(fmt.Errorf("%s failed to add Jas scan tasks: %s", scanLogPrefix, generalError.Error()), false)
 				}

jas/applicability/applicabilitymanager.go

@@ -21,8 +21,9 @@ const (
 	applicabilityScanCommand   = "ca"
 	applicabilityDocsUrlSuffix = "contextual-analysis"
 
-	ApplicabilityScannerType        ApplicabilityScanType = "analyze-applicability"
-	ApplicabilityDockerScanScanType ApplicabilityScanType = "analyze-applicability-docker-scan"
+	ApplicabilityScannerType         ApplicabilityScanType = "analyze-applicability"
+	ApplicabilityDockerScanScanType  ApplicabilityScanType = "analyze-applicability-docker-scan"
+	ApplicabilityGenericScanScanType ApplicabilityScanType = "analyze-applicability-generic-scan"
 )
 
 type ApplicabilityScanType string

jas/secrets/secretsscanner.go

@@ -19,8 +19,9 @@ const (
 	secretsScanCommand   = "sec"
 	secretsDocsUrlSuffix = "secrets"
 
-	SecretsScannerType           SecretsScanType = "secrets-scan"        // #nosec
-	SecretsScannerDockerScanType SecretsScanType = "secrets-docker-scan" // #nosec
+	SecretsScannerType            SecretsScanType = "secrets-scan"         // #nosec
+	SecretsScannerDockerScanType  SecretsScanType = "secrets-docker-scan"  // #nosec
+	SecretsScannerGenericScanType SecretsScanType = "secrets-generic-scan" // #nosec
 )
 
 type SecretsScanType string

scans_test.go

@@ -56,6 +56,42 @@ func TestXrayBinaryScanSimpleJson(t *testing.T) {
 	})
 }
 
+func TestXrayBinaryScanJsonDocker(t *testing.T) {
+	integration.InitScanTest(t, scangraph.GraphScanMinXrayVersion)
+	output := testXrayBinaryScanJAS(t, string(format.SimpleJson), "xmas.tar", false)
+	validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{
+		Total: &validations.TotalCount{Vulnerabilities: 6},
+		Vulnerabilities: &validations.VulnerabilityCount{
+			ValidateScan:                &validations.ScanCount{Sca: 4, Secrets: 2},
+			ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{Applicable: 2, NotApplicable: 1, NotCovered: 1},
+		},
+	})
+}
+
+func TestXrayBinaryScanJsonGeneric(t *testing.T) {
+	integration.InitScanTest(t, scangraph.GraphScanMinXrayVersion)
+	output := testXrayBinaryScanJAS(t, string(format.SimpleJson), "backupfriend-client.tar.gz", false)
+	validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{
+		Total: &validations.TotalCount{Vulnerabilities: 4},
+		Vulnerabilities: &validations.VulnerabilityCount{
+			ValidateScan:                &validations.ScanCount{Sca: 3, Secrets: 1},
+			ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{Applicable: 2, Undetermined: 1},
+		},
+	})
+}
+
+func TestXrayBinaryScanJsonJar(t *testing.T) {
+	integration.InitScanTest(t, scangraph.GraphScanMinXrayVersion)
+	output := testXrayBinaryScanJAS(t, string(format.SimpleJson), "student-services-security-0.0.1.jar", false)
+	validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{
+		Total: &validations.TotalCount{Vulnerabilities: 41},
+		Vulnerabilities: &validations.VulnerabilityCount{
+			ValidateScan:                &validations.ScanCount{Sca: 40, Secrets: 1},
+			ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{Applicable: 17, NotCovered: 3, NotApplicable: 20},
+		},
+	})
+}
+
 func TestXrayBinaryScanJsonWithProgress(t *testing.T) {
 	integration.InitScanTest(t, scangraph.GraphScanMinXrayVersion)
 	callback := commonTests.MockProgressInitialization()
@@ -94,6 +130,21 @@ func testXrayBinaryScan(t *testing.T, format, policyName, watchName string, erro
 	return output
 }
 
+func testXrayBinaryScanJAS(t *testing.T, format, artifact string, errorExpected bool) string {
+	tempDirPath, cleanUp := securityTestUtils.CreateTestProjectEnvAndChdir(t, filepath.Join(filepath.FromSlash(securityTests.GetTestResourcesPath()), "projects", "jas-scan"))
+	defer cleanUp()
+
+	binariesPathTemp := filepath.Join(tempDirPath, artifact)
+	args := []string{"scan", binariesPathTemp, "--format=" + format}
+	output, err := securityTests.PlatformCli.RunCliCmdWithOutputs(t, args...)
+	if errorExpected {
+		assert.Error(t, err)
+	} else {
+		assert.NoError(t, err)
+	}
+	return output
+}
+
 func TestXrayBinaryScanWithBypassArchiveLimits(t *testing.T) {
 	integration.InitScanTest(t, scan.BypassArchiveLimitsMinXrayVersion)
 	unsetEnv := clientTestUtils.SetEnvWithCallbackAndAssert(t, "JF_INDEXER_COMPRESS_MAXENTITIES", "10")
@@ -210,12 +261,12 @@ func runAdvancedSecurityDockerScan(t *testing.T, testCli *coreTests.JfrogCli, im
 		// Run docker scan on image
 		output := testCli.WithoutCredentials().RunCliCmdWithOutput(t, args...)
 		if assert.NotEmpty(t, output) {
-			verifyAdvancedSecurityScanResults(t, output)
+			verifyAdvancedSecurityScanResults(t, output, true, true)
 		}
 	}
 }
 
-func verifyAdvancedSecurityScanResults(t *testing.T, content string) {
+func verifyAdvancedSecurityScanResults(t *testing.T, content string, isApplicable bool, isSecret bool) {
 	var results formats.SimpleJsonResults
 	err := json.Unmarshal([]byte(content), &results)
 	assert.NoError(t, err)
@@ -227,11 +278,18 @@ func verifyAdvancedSecurityScanResults(t *testing.T, content string) {
 			break
 		}
 	}
-	assert.True(t, applicableStatusExists)
 
-	// Verify that secretes detection succeeded.
-	assert.NotEqual(t, 0, len(results.SecretsVulnerabilities))
+	if isApplicable {
+		assert.True(t, applicableStatusExists)
+	}
 
+	if isSecret {
+		// Verify that secretes detection succeeded.
+		assert.NotEqual(t, 0, len(results.SecretsVulnerabilities))
+	} else {
+		// Verify that secretes detection succeeded.
+		assert.Equal(t, 0, len(results.SecretsVulnerabilities))
+	}
 }
 
 // Curation tests

tests/testdata/projects/jas-scan/backupfriend-client.tar.gz

@@ -33,6 +33,7 @@ const (
 type TokenValidationStatus string
 
 type JasScanType string
+type JasPackageScanType string
 
 func (jst JasScanType) String() string {
 	return string(jst)

tests/testdata/projects/jas-scan/student-services-security-0.0.1.jar

@@ -69,9 +69,10 @@ func (rc *ResultContext) HasViolationContext() bool {
 type TargetResults struct {
 	ScanTarget
 	// All scan results for the target
-	ScaResults *ScaScanResults  `json:"sca_scans,omitempty"`
-	Sbom       Sbom             `json:"sbom,omitempty"`
-	JasResults *JasScansResults `json:"jas_scans,omitempty"`
+	ScaResults         *ScaScanResults             `json:"sca_scans,omitempty"`
+	Sbom               Sbom                        `json:"sbom,omitempty"`
+	JasResults         *JasScansResults            `json:"jas_scans,omitempty"`
+	JasPackageScanType jasutils.JasPackageScanType `json:"jas_package_scan_type,omitempty"`
 	// Errors that occurred during the scans
 	Errors      []error    `json:"errors,omitempty"`
 	errorsMutex sync.Mutex `json:"-"`